Posts Tagged ‘Cybersecurity’
[DefCon32] DEF CON 32: NTLM The Last Ride
Jim Rush and Tomais Williamson, security researchers from Wellington, New Zealand, electrified DEF CON 32 with a deep dive into exploiting NTLM authentication before its planned phase-out in Windows 11 and beyond. Representing CyberCX, they unveiled new vulnerabilities, bypassed existing fixes, and exposed insecure defaults in Microsoft’s NTLM-related controls. Their fast-paced presentation, infused with humor and technical depth, offered a final hurrah for NTLM hacking, urging attendees to turn off NTLM where possible.
Revisiting NTLM’s Persistent Flaws
Jim and Tomais began by contextualizing NTLM, a 25-year-old authentication protocol still prevalent despite its known weaknesses. They highlighted Microsoft’s plan to deprecate NTLM, yet emphasized its lingering presence in legacy systems. Their research uncovered new bugs, including a bypass of a previously patched CVE, allowing attackers to coerce NTLM hashes from various applications. By exposing these flaws, Jim and Tomais underscored the urgency of transitioning to more secure protocols like Kerberos.
Novel Exploitation Techniques
The duo detailed their innovative approaches, combining multiple bug classes to extract NTLM hashes from unexpected sources, such as document processors and build servers. Their live demonstrations showcased “cooked” bugs—exploits leveraging URL inputs to trigger hash leaks. Jim’s anecdotes about their discoveries, including a nod to their CyberCX colleague’s assistance, highlighted the collaborative nature of their work. These techniques revealed NTLM’s fragility, especially in environments with permissive defaults.
Insecure Defaults and Systemic Gaps
Focusing on Microsoft’s NTLM security controls, Jim and Tomais exposed glaring gaps, such as libraries allowing unauthenticated hash extraction. They demonstrated how attackers could exploit these defaults in applications like Microsoft Teams or PDF generators, turning innocuous features into attack vectors. Their findings, supported by CyberCX’s research efforts, emphasized the need for organizations to audit NTLM usage and disable it wherever feasible to prevent hash coercion.
Community Collaboration and Future Steps
Concluding, Jim and Tomais called for community engagement, inviting attendees to share ideas for extracting hashes from novel sources like video games. They praised Microsoft’s MSRC team for their responsiveness and urged continued disclosure to advance research. Their advice to “turn off NTLM, then turn it back on when someone screams” humorously captured the challenge of legacy system dependencies, encouraging proactive steps toward more secure authentication frameworks.
[DefCon32] DEF CON 32: Finding & Exploiting Local Attacks on 1Password Mac Desktop App
J. Hoffman and Colby Morgan, offensive security engineers at Robinhood, delivered a compelling presentation at DEF CON 32, exploring vulnerabilities in the 1Password macOS desktop application. Focusing on the risks posed by compromised endpoints, they unveiled multiple attack vectors to dump local vaults, exposing weaknesses in 1Password’s software architecture and IPC mechanisms. Their research, blending technical rigor with practical demonstrations, offered critical insights into securing password managers against local threats.
Probing 1Password’s Security Assumptions
J. and Colby opened by highlighting the immense trust users place in password managers like 1Password, which safeguard sensitive credentials. They posed a critical question: how secure are these credentials if a device is compromised? Their research targeted the macOS application, uncovering vulnerabilities that could allow attackers to access vaults. By examining 1Password’s reliance on inter-process communication (IPC) and open-source components, they revealed how seemingly robust encryption fails under local attacks, setting the stage for their detailed findings.
Exploiting Application Vulnerabilities
The duo detailed several vulnerabilities, including an XPC validation bypass that enabled unauthorized access to 1Password’s processes. Their live demonstrations showcased how attackers could exploit these flaws to extract vault data, even on locked systems. They also identified novel bugs in Google Chrome’s interaction with 1Password’s browser extension, amplifying the attack surface. J. and Colby’s meticulous approach, including proof-of-concept scripts released on Morgan’s GitHub, underscored the need for robust validation in password manager software.
Mitigating Local Threats
Addressing mitigation, J. and Colby recommended upgrading to the latest 1Password versions, noting fixes in versions 8.10.18 and 8.10.36 for their disclosed issues. They urged organizations to enhance endpoint security, emphasizing that password managers are prime targets for red teamers seeking cloud credentials or API keys. Their findings, developed over a month of intensive research, highlighted the importance of proactive patching and monitoring to safeguard sensitive data on compromised devices.
Engaging the Security Community
Concluding, J. and Colby encouraged the DEF CON community to extend their research to other password managers, noting that similar vulnerabilities likely exist. They shared their code to inspire further exploration and emphasized responsible disclosure, having worked with 1Password to address the issues. Their call to action invited attendees to collaborate on improving password manager security, reinforcing the collective effort needed to protect critical credentials in an era of sophisticated local attacks.
[DefCon32] DEF CON 32: Gotta Cache ‘em All – Bending the Rules of Web Cache Exploitation
Martin Doyhenard, a seasoned security researcher, captivated the DEF CON 32 audience with his exploration of innovative web cache exploitation techniques. Focusing on exploiting ambiguities in RFC standards, Martin unveiled two novel methods—Static Path Deception and Cache Key Confusion—that push the boundaries of web cache attacks. Through detailed case studies and a live demonstration, he showcased how these techniques can compromise application confidentiality, enable arbitrary cache poisoning, and even achieve full site takeovers, providing actionable insights for security practitioners to identify and mitigate such vulnerabilities.
Unveiling Web Cache Mechanics
Martin began by elucidating the inner workings of web caches, which store frequently accessed content to enhance website performance. He highlighted how caches rely on URL parsing to determine what to store and serve, yet inconsistencies in parsing across platforms create exploitable vulnerabilities. By leveraging ambiguities in RFC standards, attackers can manipulate cache behavior to serve malicious content or expose sensitive data. Martin’s clear explanation set the stage for understanding the sophisticated attacks that followed, emphasizing the critical role of URL parsers in web security.
Static Path Deception: Breaching Confidentiality
Delving into his first technique, Martin introduced Static Path Deception, a method that exploits cache handling of static file paths to compromise application confidentiality. Using a case study involving Nginx behind Cloudflare, he demonstrated how attackers can trick caches into serving sensitive content to unauthorized users. By crafting specific URL patterns, Martin showed how this technique bypasses traditional cache restrictions, exposing private data. His findings underscore the need for consistent cache configuration across content delivery networks and web servers to prevent such breaches.
Cache Key Confusion: Poisoning and Denial of Service
Martin then presented Cache Key Confusion, a technique exploiting discrepancies in how platforms like Microsoft Azure Cloud normalize cache keys. He illustrated how attackers can manipulate URL parsing to poison caches, serving malicious content to all users or triggering denial-of-service attacks. His live demo combined Cache Key Confusion with an open redirect vulnerability to execute arbitrary JavaScript, achieving a complete site takeover. This powerful demonstration highlighted the far-reaching impact of parser inconsistencies and the potential for significant disruption in cloud-based environments.
Mitigation and Community Engagement
Concluding, Martin shared practical strategies to counter these vulnerabilities, urging organizations to audit cache configurations and disable key normalization where possible. He introduced his open-source tool, Cache Killer, designed to detect parsing discrepancies, and encouraged the DEF CON community to contribute to its development. By sharing references to prior research and his own findings, Martin fostered a collaborative approach to improving web cache security, inspiring attendees to hunt for similar vulnerabilities in bug bounty programs and beyond.
[DefCon32] DEF CON 32: Feet Feud
Tiberius, presenting as “Toes” with the OnlyFeet CTF team, hosted the lively “Feet Feud” game show at DEF CON 32, bringing together cybersecurity enthusiasts for a fun, interactive competition. Team captains Ali Diamond, known for her Hack 5 ThreatWire hosting, and John Hammond, a prominent cybersecurity educator, led their teams in a spirited battle of wits. The event, a fan favorite after unofficial runs in previous years, engaged the audience with hacker-themed challenges and quirky prizes, fostering community spirit and camaraderie.
The Game Show Experience
Tiberius kicked off the event with infectious enthusiasm, introducing Ali and John as team captains. Audience members, selected based on vibrant attire like orange bow ties, joined the teams, creating an electric atmosphere. The game, inspired by classic game shows, featured cybersecurity-themed questions and challenges, blending humor with technical knowledge. Tiberius’s dynamic hosting, supported by assistants Helen and Wolfie, ensured a fast-paced, engaging experience that kept the crowd entertained.
Celebrating the Hacker Community
The event celebrated the DEF CON community’s creativity and collaboration, with Ali and John leading their teams through rounds that tested hacking trivia and problem-solving skills. Prizes, including Hack The Box VIP vouchers, coding socks, and whimsical baby foot candles, added a playful touch. Tiberius emphasized the importance of community-driven events like Feet Feud, which provide a lighthearted counterbalance to the conference’s technical intensity, strengthening bonds among attendees.
Building on Tradition
Reflecting on Feet Feud’s evolution from a small gathering to a main-stage event, Tiberius highlighted its growing popularity, with this year’s crowd far exceeding the previous high of 40 attendees. The game’s success, supported by sponsors like Hack The Box, underscores its role in fostering a sense of belonging within the cybersecurity community. By encouraging audience participation and celebrating victories with quirky rewards, Feet Feud reinforces DEF CON’s unique blend of learning and fun.
Looking Ahead
Concluding, Tiberius expressed hope for Feet Feud’s return with even grander prizes, thanking Helen and Wolfie for their invaluable support. The event’s success lies in its ability to unite hackers in a shared celebration of their craft, inspiring future iterations that continue to blend competition with camaraderie. Ali and John’s leadership, combined with the audience’s enthusiasm, ensures Feet Feud remains a cherished DEF CON tradition.
[DefCon32] DEF CON 32: HookChain – A New Perspective for Bypassing EDR Solutions
Helvio Carvalho Junior, a renowned security researcher and CEO of Sec4US, unveiled his groundbreaking HookChain technique at DEF CON 32, offering a fresh perspective on evading Endpoint Detection and Response (EDR) systems. By combining Import Address Table (IAT) hooking, dynamic System Service Number (SSN) resolution, and indirect system calls, Helvio demonstrated how HookChain stealthily redirects Windows subsystem execution flows, bypassing EDR monitoring without altering application code. His presentation, enriched with live demonstrations, challenged cybersecurity conventions and spurred discussion on adaptive defense strategies.
Understanding EDR Limitations
Helvio opened by outlining the rapid evolution of digital threats, which continuously challenge EDR solutions designed to monitor API calls through Ntdll.dll. He explained that traditional EDRs rely on hooking key functions to detect malicious activity, but these mechanisms can be circumvented. HookChain exploits this by manipulating the execution flow to avoid monitored interfaces, achieving stealth without modifying the source code of applications or malware. Helvio’s approach highlights the need for EDRs to evolve beyond static monitoring techniques.
Technical Mechanics of HookChain
Delving into the technical core, Helvio detailed HookChain’s methodology, which integrates IAT hooking to redirect function calls, dynamic SSN resolution to adapt to varying Windows versions, and indirect system calls to bypass EDR hooks. His live demo showcased shellcode injection into a process, executing it undetected by EDRs like CrowdStrike and SentinelOne. By leveraging techniques like Halo’s Gate to locate unhooked functions, HookChain ensures malicious payloads operate invisibly, achieving an impressive 66% success rate against top EDR products listed in Gartner’s Magic Quadrant.
Testing and Vendor Responses
Helvio shared results from testing HookChain against various EDR solutions, including remote process injection and credential dumping with tools like Mimikatz. His findings revealed that while some vendors, such as SentinelOne, implemented patches to counter HookChain, others lagged in response. He emphasized the importance of open collaboration, noting that two vendors engaged with him to test mitigations. Helvio’s transparency, including sharing his whitepaper and source code on GitHub, encourages the community to refine and challenge his techniques, fostering stronger defenses.
Future Directions for Cybersecurity
Concluding, Helvio urged the DEF CON community to embrace continuous innovation in security research. HookChain not only exposes vulnerabilities in current EDR systems but also paves the way for more adaptive solutions. He advocated for proactive strategies that anticipate emerging threats, inspiring researchers to explore new evasion techniques and defenders to enhance monitoring beyond Ntdll.dll. His work, rooted in a passion for discovery, sets a benchmark for advancing endpoint security in a dynamic threat landscape.
[DefCon32] DEF CON 32: Leveraging Private APNs for Mobile Network Traffic Analysis
Aapo Oksman, a seasoned security researcher specializing in IoT and network protocols, delivered a compelling presentation at DEF CON 32 on harnessing private Access Point Names (APNs) to analyze mobile and IoT device traffic. As devices increasingly rely on 4G and 5G networks, bypassing traditional Wi-Fi monitoring, Aapo’s innovative approach enables security professionals to inspect, filter, and tamper with mobile network traffic. His talk provided practical techniques for both offensive and defensive cybersecurity, from penetration testing to detecting malicious activity in mobile ecosystems.
Challenges in Mobile Network Monitoring
Aapo began by highlighting the shift in device communication from Wi-Fi to mobile networks, which complicates traditional traffic analysis due to direct connections to ISP-operated base stations. Setting up private base stations, while possible, is costly and complex. Aapo introduced private APNs as a cost-effective alternative, allowing users to create isolated networks within ISP infrastructure. This approach grants visibility into device communications, overcoming the limitations of locked-down devices and enabling detailed traffic analysis for security purposes.
Harnessing Private APNs for Security
Delving into the technical details, Aapo explained how private APNs can be configured to route mobile traffic through controlled environments, such as firewalls or custom servers. His demonstration showcased the setup process, emphasizing affordability and scalability, with costs decreasing as more devices are added. By intercepting IP traffic, security professionals can perform penetration testing on IoT devices or monitor for malicious activity, such as command-and-control (C2) communications. Aapo’s approach leverages ISP infrastructure to create a controlled network environment, enhancing both offensive and defensive capabilities.
Uncovering Advanced Malware Threats
Aapo addressed the growing sophistication of mobile malware, which often avoids Wi-Fi or VPN connections to evade detection. He cited an example of a misconfigured malware detected via Wi-Fi traffic, underscoring that advanced threats are designed to operate solely over mobile networks. Private APNs enable defenders to monitor these communications, identifying C2 servers or other malicious activities that would otherwise go unnoticed. Aapo’s insights highlight the critical need for innovative monitoring techniques to counter evolving mobile threats.
Practical Applications and Future Directions
Concluding, Aapo shared project details and encouraged the DEF CON community to explore private APNs for their research. He emphasized the dual-use potential of his approach, enabling both penetration testers and defenders to gain deeper insights into mobile device behavior. By connecting private APNs to existing security infrastructure, organizations can enhance their ability to detect and mitigate threats. Aapo’s work paves the way for future advancements in mobile network security, urging continued exploration of ISP-based solutions.
[DefCon32] DEF CON 32: Iconv, Set the Charset to RCE – Exploiting glibc to Hack the PHP Engine
Charles Fol, a security researcher with a knack for uncovering hidden vulnerabilities, captivated the DEF CON 32 audience with his exploration of CVE-2024-2961, a long-standing buffer overflow in the GNU C Library (glibc) that he leveraged to compromise the PHP engine. Discovered by chance while auditing PHP, Charles’s work revealed new remote code execution (RCE) vectors and previously unknown zero-day vulnerabilities. His presentation offered a deep dive into the internals of PHP, showcasing innovative exploitation techniques and their impact on the broader PHP ecosystem, while providing actionable insights for securing web applications.
Discovering the glibc Vulnerability
Charles stumbled upon CVE-2024-2961 while auditing PHP, though the flaw resided in glibc’s iconv library, responsible for character set conversion. This buffer overflow, overlooked for years, presented a potent opportunity for exploitation within PHP’s context. Charles detailed how his accidental discovery unfolded, emphasizing the importance of thorough code audits. By analyzing the iconv library’s behavior, he identified a pathway to manipulate PHP’s execution environment, transforming a seemingly innocuous bug into a powerful attack vector. His approach underscores the value of curiosity-driven research in uncovering critical security flaws.
Crafting Remote Code Execution Exploits
Delving into the technical intricacies, Charles explained two distinct methods to achieve RCE using the glibc vulnerability. The first targeted PHP filters, a lesser-known component of the PHP engine, which he manipulated to execute arbitrary code remotely. The second approach exploited direct calls to iconv, bypassing conventional security checks. His live demonstration showcased a sophisticated exploit that navigated PHP’s memory management constraints, even in scenarios without output visibility or with randomized memory allocations. Charles’s ability to achieve a shell under such conditions highlighted the vulnerability’s severity and his ingenuity in exploit development.
Impact on the PHP Ecosystem
Charles explored the broader implications of CVE-2024-2961, revealing its reach across popular PHP libraries and applications, including webmail platforms like Roundcube. He noted that email headers specifying charsets provided an ideal entry point for exploitation, as attackers could craft malicious inputs to trigger the buffer overflow. His analysis of affected sinks, from well-known functions to obscure code paths, underscored the pervasive risk within PHP-based systems. By sharing his findings, Charles aimed to alert developers to the hidden dangers in widely used software and encourage proactive vulnerability management.
Mitigation Strategies for Developers
Concluding, Charles offered practical recommendations to fortify PHP applications against similar exploits. He urged developers to update glibc to patched versions and scrutinize charset handling in their codebases. Additionally, he advocated for robust input validation and the use of secure coding practices to minimize exposure to buffer overflows. His work, shared openly with the community, empowers developers to strengthen their systems and inspires further research into PHP’s security landscape, ensuring the web remains a safer environment.
[DefCon32] DEF CON 32: Hi-Intensity Deconstruction – Chronicles of a Cryptographic Heist
Javadi, Levy, and Draffe, a trio of security researchers, presented a groundbreaking study at DEF CON 32, unraveling vulnerabilities in HID Global’s iCLASS SE platform, a widely deployed electronic physical access control system. Over seven years, they reverse-engineered its complex chain of trust, uncovering flaws that enabled the recovery of cryptographic keys from CC EAL 5+ accredited secure elements. Their talk detailed the attack chain and provided practical mitigations for organizations relying on iCLASS SE.
Reverse-Engineering iCLASS SE
Javadi opened by contextualizing the ubiquity of HID’s iCLASS SE readers in government agencies and Fortune 500 companies. The team’s seven-year journey involved analyzing hardware, firmware, and software components to understand the platform’s security architecture. They discovered a series of implementation defects that compromised the system’s cryptographic integrity, challenging the notion that iCLASS SE was among the most secure access control solutions available.
Uncovering Cryptographic Flaws
Levy detailed the attack chain, which exploited pitfalls in the iCLASS SE’s secure elements. By targeting weaknesses in the hardware and software trust chain, they recovered sensitive cryptographic key material, effectively accessing the “keys to the kingdom.” Their approach combined advanced reverse-engineering techniques with exploitation of interoperability issues, particularly those tied to legacy Wiegand protocols, which undermined the platform’s security.
Operational Implications and Risks
Draffe explored the real-world implications, noting that standard key users face moderate risks, while advanced threat actors could exploit these flaws with significant skill. The vulnerabilities allow unauthorized access to physical systems, posing threats to high-security environments. The team’s findings underscore the dangers of relying on outdated protocols and the need for robust risk mitigation strategies to protect critical infrastructure.
Mitigating and Upgrading Security
Concluding, Javadi offered comprehensive guidance, recommending users transition to custom keys like HID’s Elite keys, which the vendor is offering fee-free for the first year. For advanced users, upgrading to the latest hardware and engaging with integrators to assess risks is critical. The researchers emphasized building security like an “onion” with layered defenses, urging organizations to work closely with HID to implement practical mitigations and enhance system resilience.
[DefCon32] DEF CON 32: MobileMesh RF Network Exploitation – Getting the Tea from goTenna
Erwin Karincic and Woody, security researchers with a passion for wireless technologies, delivered a revealing presentation at DEF CON 32 on vulnerabilities in goTenna Pro, a device promising secure, off-grid mobile mesh networking. Their rigorous examination exposed flaws in the implementation of AES-256 encryption, enabling message tracking, interception, and injection. Erwin and Woody’s work, conducted in collaboration with goTenna, culminated in open-source tools and actionable recommendations to enhance device security, challenging the community to verify claims of security.
Unmasking goTenna’s Security Claims
Erwin introduced the goTenna Pro, a radio used by personnel requiring secure communication without cellular or satellite infrastructure. Despite its AES-256 encryption claims, their analysis revealed vulnerabilities allowing fingerprinting and tracking of every message, regardless of encryption. By dissecting the device’s hardware and software, Erwin and Woody uncovered implementation flaws that undermined its security guarantees, highlighting the dangers of trusting datasheets without verification.
Exploiting Mesh Network Vulnerabilities
Woody delved into the technical details, demonstrating how they exploited goTenna’s mesh network to intercept and decrypt messages. Their live demo showcased the ability to inject malicious messages into the network, exposing operational risks for users in sensitive environments. The researchers developed open-source tools to replicate these exploits, encouraging the DEF CON community to test similar devices. Their methodology emphasized systematic testing of RF protocols, revealing weaknesses in goTenna’s encryption implementation.
Collaborative Remediation Efforts
Erwin highlighted their constructive engagement with goTenna, which responded positively to their findings. The company acknowledged the vulnerabilities and worked to address them, a rare success in vendor collaboration. The researchers also thanked organizations like the Electronic Frontier Foundation (EFF) and CISA for supporting their work, emphasizing the importance of community-driven efforts to hold manufacturers accountable and improve device security.
Empowering Secure Communication
Concluding, Woody urged the DEF CON community to challenge security claims and test equipment rigorously. They released their tools open-source, inspiring further research into mesh technologies like LoRa and Meshtastic. By sharing their findings and mitigation strategies, Erwin and Woody aim to reduce the risk of compromise for goTenna users, advocating for secure-by-design principles in RF communication devices.
[DefCon32] DEF CON 32: Outlook Unleashing RCE Chaos: CVE-2024-30103
Michael Gorelik and Arnold Osipov, security researchers from Morphisec, unveiled a series of devastating remote code execution (RCE) vulnerabilities in Microsoft Outlook at DEF CON 32. Their presentation focused on CVE-2024-30103, an evolution of CVE-2024-21378, which exploits Outlook’s COM object forms to trigger RCE from seemingly benign emails. Michael and Arnold’s meticulous research revealed additional NTLM credential leaks, exposing systemic weaknesses in Outlook’s security model and offering critical mitigation strategies.
The Evolution of Outlook Exploits
Michael kicked off by tracing the timeline of Outlook vulnerabilities, noting how incomplete patches often leave residual attack surfaces. He explained how CVE-2024-21378, a flaw in Outlook’s form handling, opened the door to RCE by allowing attackers to embed malicious COM objects in emails. Morphisec’s research built on this, uncovering CVE-2024-30103, which exploits trusted sender scenarios to execute code automatically upon email preview. Michael’s narrative highlighted the cascading effect of these vulnerabilities, turning routine email interactions into potential attack vectors.
Exploiting NTLM Leaks
Arnold delved into the NTLM credential leak issue, which Microsoft rated as medium risk due to mitigations like preview mode for untrusted senders. However, he demonstrated how compromised internal accounts could bypass these protections, enabling automatic image downloads that trigger NTLM leaks. Arnold’s analysis revealed that domain-joined devices are particularly vulnerable, as attackers can exploit trusted sender status within organizations to harvest credentials, amplifying the risk of lateral movement across networks.
Technical Breakdown of RCE Chains
Michael provided a detailed breakdown of the RCE exploit chain, showcasing how attackers manipulate Outlook’s form controls to execute arbitrary code. He highlighted the role of compound monitors, which process email content, in enabling these attacks. By leveraging insights from researchers like NetSPI and Check Point, Morphisec constructed a robust exploit that bypasses existing patches. Michael’s technical exposition underscored the complexity of securing Outlook’s extensive attack surface, particularly when patches introduce new vulnerabilities.
Mitigating Outlook Vulnerabilities
Concluding, Arnold shared actionable recommendations, including enabling SMB signing, managing outbound SMB traffic, and adopting Windows 11’s default NTLM restrictions. He emphasized the need for organizations to monitor trusted sender configurations and enhance email security protocols. Michael and Arnold’s work, supported by Morphisec’s threat research, calls for a reevaluation of Outlook’s security architecture, urging the cybersecurity community to collaborate on robust defenses against these evolving threats.
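The host-side controls recommended here (SMB signing, outbound SMB control, NTLM restriction) and the "turn off NTLM where possible" advice from the NTLM talk above, as one added PowerShell hardening and audit pass that is not code from Morphisec, CyberCX or Microsoft. It assumes an elevated session on Windows 10/11 or Server 2019 or later; the firewall rule name and the audit-before-deny ordering are this example's own choices.

```powershell
# Added example (not from the talks or the vendors): apply the mitigations listed
# above on one host, then report the resulting posture so it can be checked fleet-wide.
# Assumption: run elevated on Windows 10/11 or Server 2019+. Pilot this on a lab
# group first: RestrictSendingNTLMTraffic=2 breaks anything that still needs NTLM.
#Requires -RunAsAdministrator

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# 1. Require SMB signing on both the server and client side. A coerced NTLM
#    authentication can then no longer be relayed to an SMB server that enforces it.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force

# 2. Outbound SMB: block TCP/445 on the Public and Private profiles so a UNC fetch
#    triggered from a home or hotel network cannot reach an external server. The
#    Domain profile (internal file shares) is left alone; block 445 to the Internet
#    at the perimeter firewall as well. Rule name is this example's own.
$ruleName = 'Block outbound SMB off-domain'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Profile Public,Private -Action Block | Out-Null
}

# 3. NTLM: refuse LM and NTLMv1 (LmCompatibilityLevel 5), audit all incoming NTLM,
#    and start with audit (1) rather than deny (2) for outgoing NTLM. Move to 2
#    once the 8001 events below show nothing you still depend on.
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel       -Value 5 -Type DWord
Set-ItemProperty -Path $msv -Name AuditReceivingNTLMTraffic  -Value 2 -Type DWord
Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# 4. Windows 11 24H2 / Server 2025 expose SMB NTLM blocking directly. Apply it only
#    where the cmdlet actually has the parameter; older builds do not.
if ((Get-Command Set-SmbClientConfiguration).Parameters.ContainsKey('BlockNTLM')) {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
}

function Get-NtlmSmbPosture {
    # Returns the effective settings as one object so results can be collected
    # across hosts (e.g. Export-Csv) and compared with the intended baseline.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        LmCompatibilityLevel  = (Get-ItemProperty $lsa).LmCompatibilityLevel
        AuditReceivingNTLM    = (Get-ItemProperty $msv).AuditReceivingNTLMTraffic
        RestrictSendingNTLM   = (Get-ItemProperty $msv).RestrictSendingNTLMTraffic
        Outbound445Blocked    = [bool](Get-NetFirewallRule -DisplayName $ruleName `
                                    -ErrorAction SilentlyContinue)
    }
}

Get-NtlmSmbPosture | Format-List

# What still authenticates outbound with NTLM? In audit mode, event 8001 in the NTLM
# operational log records the target server and process of each outgoing NTLM
# authentication that a deny setting would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 200 `
    -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8001 |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

Review the 8001 events over a few weeks of normal use before raising RestrictSendingNTLMTraffic to 2; each entry is a dependency that needs a Kerberos or non-NTLM replacement first.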